Monday, 9 September 2013

iPhone 5S Fingerprint Sensor: What I think Apple will do with it - it's not just about security!

I am writing this blog a day before Apple's September 10 event where it has been widely predicted by journalists and analysts alike that Apple will launch the next generation iPhone with an embedded fingerprint sensor (EFS).

So how will Apple use the fingerprint sensor?

I have been covering this market for many years now (Goode Intelligence published a report in June 2011 investigating the market for mobile biometrics) and spoke with the team at AuthenTec (Fingerprint Sensor manufacturer) before they were acquired by Apple.

I am currently working on a number of projects for Goode Intelligence that cover this market, a report investigating the market for mobile authentication and identity verification  that covers biometrics and a report taking a look at the security of wearable technology and how it can be used for authentication purposes.
As part of this research I have talked to many biometric technology vendors, including fingerprint sensor manufacturers, buoyed by Apple's potential move in this area. All of them indicate that Apple will tomorrow launch an iPhone with a fingerprint sensor. I share this prediction - it may come back to haunt me tomorrow when we see an iPhone with no sensor - perhaps its an iWatch with a fingerprint sensor!

I predict that Apple could make use of the embedded fingerprint sensor (probably an optical EFS) in the following ways:

Protect the device
My last smartphone was an Android-powered Motorola Atrix 4G - I think I may have been one of the few owners in the UK. It was not a bad smartphone, OK it ran a pretty old version of Android but I could live with that because it had an embedded fingerprint sensor integrated into the rear of the phone doubling up as a power button (see below) - sound familiar? What I loved about this phone was the ability to unlock the device by using the fingerprint sensor (supplied by AuthenTec).

After a pretty simple enrolment process I could use a fingerprint swipe to unlock the device and in approximately 90% of occasions it worked first time. I regularly travel into London, commuting on public trains and tubes and by swiping the sensor with an enrolled finger I could avoid any potential passcode shoulder surfing - a real deterrent against theft.

What I didn't like about this phone, and this is a lesson for any ODM thinking of embedding a biometric sensor into a phone, was the lack of a supporting ecosystem. By using the lock feature, I could conveniently protect my phone from unauthorised use but little else. Motorola, and this is the same mistake made by other fingerprint sensor manufacturers who have sold to laptop and netbook OEMs, didn't create the supporting ecosystem (APIs or SDKs) that could be utilised by other stakeholders, such as third-party app developers and service providers. No one, outside of Motorola, could utilise the benefits of the sensor.

Motorola ATRIX 4G

So enough about Motorola, let us turn to Apple. I believe that Apple will launch with a fingerprint-enabled unlock feature on the iPhone 5S users. To protect this device in a similar manner to the Atrix 4G by unlocking the iPhone by use of  an enrolled finger swiping on pressing the iPhone home button. The iPhone 5S stroke - coming to a train near you soon!

The second feature that I feel will be fingerprint-enabled from tomorrow will be the ability to use a fingerprint in iPhone initiated eCommerce transactions. The iPhone as a payment method. Perhaps without needing NFC (for now anyway).

Apple has become not only a successful computer manufacturer but a very important retailer of digital media. Earlier this year (June 2013), Apple CEO, Tim Cook, announced the there were 575 million registered iTunes accounts around the world. Accounts do not equate to unique users but even so we must be talking of half a billion people who are iTunes users and who have registered their credit cards with Apple.

These 575 million iTunes accounts have downloaded a total of 50 billion apps from the app store and paid for billions of dollars of digital content including films, music and books. According to CNNMoney iTunes generated $12.9 billion in 2012. These figures detail the importance of Apple as a very successful retailer, both on-line and physical (There are a reported 413 physical Apple stores located in 14 countries).

Like any successful retailer Apple will suffer from financial fraud and there have been reports of fraud affecting Apple iTunes. By adding the requirement for a second factor (what you are - your fingerprint) in combination of what you have (the iPhone), fraud surrounding iTunes transactions (for iPhone 5S users) could be significantly reduced.

Fingerprints could also be used to protect Apple's wallet service, Passbook. Apple's vision is to have Passbook as a secure wallet service that contains valuable digital files, boarding passes, loyalty cards, event tickets and retail coupons. A convenient and secure method to protect this valuable information would be to fingerprint-enable Passbook.

Passbook may also be turned into a payment tool. I predict that we will see Passbook being used as a mPayment tool with the user's fingerprint being used to unlock the wallet and then to authenticate transactions. Initially I believe that this will be used (think of it as a pilot) in Apple stores. It could work like this. I am browsing in my local Apple store and I would like to purchase a new MacBook Air. I take my iPhone 5S out, open up the Passbook app and authenticate using my fingerprint. I choose the payment feature and this activates the barcode scanner. I scan in the barcode for the Air and press the 'Buy' button. It asks me to verify my identity and I scan my fingerprint (possibly also entering in my Apple ID passcode, although this may be a bit clunky for a physical store). It verifies me as the account holder and then initiates the transaction (checks whether I have the funds and goes through the fraud management system). Happily for me, and for Apple, I pass all the checks and it sends down a receipt to the phone (contained in the protected Passbook). The receipt could contain a barcode that a retail assistant could check before handing over my lovely shiny new gadget. It could work - quick, convenient and pretty secure.

Will it be open?
In conversations I have with technology vendors working in this space I am always asked my opinion on whether Apple will open up the sensor for third-party use (The authentication vendors may be secretly scared of having their business model disrupted by Apple - not the first and definitely not the last). My answer is a qualified no. Apple's history has been to keep its technology within its garden walls and not to open it up. I believe that any low-level authentication SDKs and APIs that directly call the sensor will be shut off from third-party access. It may wish to add some high-level functions to its iOS development library that make use of the sensor for payment and in-app billing features but, at least for the short-term, I would be surprised that they open it up to authentication vendors.

What may happen is a replication of a trend that we are seeing for consumer end-user authentication. The quasi-federated model where a large, trusted, internet service will provide authentication services on behalf of a third-party service provider. For instance, I can choose to authenticate into my Spotify account using my Facebook ID. Facebook have become the broker for my identity (This also includes Google). Apple could offer a similar sort of service using the fingerprint sensor as part of the response to the challenge. Widen its network, gather vital user intelligence and increase its sphere of influence through identity verification services.

To sum up
I know we have been here before (NFC), but I believe that a piece of security kit that has been hidden away in high-security buildings and been collecting dust on laptops around the world will get the Apple magic tomorrow and Apple will make it work. It is being driven by a combination of convenient security and a desire for Apple to benefit from half a billion credit card owners by enabling iPhone initiated payments at physical stores.

This will have a direct impact on the biometric industry and will propel biometrics into the mainstream.

I welcome any feedback from this blog (including typos and factual corrections).

Disclaimer: This is my personal viewpoint and does not reflect those of my employer, Goode Intelligence. 

No comments:

Post a Comment